WP All Import/Export Plugin Vulnerabilities: CVE-2024-8722/9664/9661/7425/7419 Advisory

Vulnerability Overview This security update addresses multiple versions of the WP All Import and WP All Export plugins, patching the following critical vulnerabilities: WP All Import Pro 4.9.8 and WP All Import Free 3.8.0: CVE-2024-8722: Stored Cross-Site Scripting (XSS) via SVG file upload by authenticated administrators (Administrator+). CVE-2024-9664: PHP Object Injection via file import by authenticated administrators (Administrator+). CVE-2024-9661: Cross-Site Request Forgery (CSRF) that can lead to the deletion of imported content. WP All Export Pro 1.9.2: CVE-2024-7425: Remote Code Execution (RCE) triggered by authenticated administrators with WooCommerce product management permissions (Shop Manager+). CVE-2024-7419: Unauthenticated Remote Code Execution (RCE) via custom export fields. Note: The free version of WP All Export is not affected by the aforementioned vulnerabilities. Scope of Impact CVE-2024-7425: Users with WooCommerce product management permissions (e.g., Shop Manager) who input malicious code into product fields and process them via Google Merchant Center exports may experience privilege escalation and site takeover. CVE-2024-7419: If a site stores malicious data in custom fields (e.g., WooCommerce order address fields) and the export configuration includes these fields, site takeover may occur if the data is properly crafted during export execution. CVE-2024-9661: Requests sent to the correct endpoint may result in the deletion of previously imported data or the deletion of import history. CVE-2024-9664: Requires authenticated administrator privileges. An attacker must import serialized strings containing malicious PHP objects. If the site possesses additional POP chains (PHP Object Payloads), code execution may occur. The WordPress function may also present similar risks. CVE-2024-8722: Requires authenticated administrator privileges. An attacker must import SVG files containing malicious JavaScript payloads. The JavaScript executes when the SVG is viewed. Exploitation is possible only if an administrator manually creates or imports data containing malicious SVGs. Note: According to official sources, there are currently no known cases of these vulnerabilities being exploited maliciously; however, immediate updates are recommended to prevent scanning attacks. Remediation Steps 1. Backup Your Site: Always back up your site before making any significant changes or updating plugins. 2. Automatic Updates: Navigate to the WP Admin Dashboard. Go to Plugins > Installed Plugins. Locate WP All Import or WP All Export. Click Update (if available). 3. Manual Update (if necessary): Deactivate and delete the old version of the plugin (import/export data and settings will remain in the database). Download the latest version from the Customer Portal (Pro version) or WordPress.org (Free version). Install and activate the new version.

Goal Reached Thanks to every supporter — we hit 100%!

WP All Import/Export Plugin Vulnerabilities: CVE-2024-8722/9664/9661/7425/7419 Advisory